This is a double issue, covering two week's development
activity because there was no Apache Week last week (August
7th). This was due to moving office over that
weekend, which meant that network access was disrupted for
several days.

Apache 1.3.1 is the current stable release. Users of Apache
1.2.6 and earlier should look at upgrading to this version,
which provides additional features and has been subject to
extensive testing.

The bugs listed below now include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
developers.

Bugs in 1.3.1

These bugs have been found in 1.3.1 and will be fixed in the
next version.

Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.

Windows-specific Bugs

CGI scripts do not work if the interpreter pathname (on the
initial #! line)
includes spaces. PR#2495.

Other Bugs

Multiple white space characters in the configuration files
or .htaccess files were being compressed to a single space
(even within double-quoted strings).

In previous releases, when suExec was enabled within Apache
a message was printed to confirm this when Apache started.
In 1.3.1 this message was not printed. It will be in the
next release. PR#2761,
PR#2765.

The Rule IRIXN32
Configuration option for Irix systems was being ignored. PR#2736.

Messages in the error_log did not contain the client IP
address, but they used to in Apache 1.2.*. PR#2661.

One way of attacking a public web server is to send it very
large amounts of data in a request. This could be a very long
URI, a large number of headers, or a large body. Sending
large amounts of data would cause the memory usage of the
Apache child process to increase in proportion to the amount
of data, eventually using all available resources and causing
other processes to be swapped to disk, slowing the system.
This is a "denial of service" attack, since it can affect the
normal operation of the server, but does not give any access
to the server system.

The next version of Apache will include directives which can
be used to limit the size of various parts of a request. This
will be configurable because the amount of data a site can
accept or is prepared to accept will vary considerable. For
example, sites which allow uploads of large files will want
to allow large request body parts, but sites with only small
POST forms may only want to allow small body parts.

The new directives are:

LimitRequestLine,
which limits the size of the first line of the request (the
line that includes the request URI).

LimitRequestFields,
which limits the number of header lines in the request.

LimitRequestFieldsize, which
limits the size of each request line.

LimitRequestBody,
which limits the size of the body part of the request.

Patches for bugs in Apache 1.3.1 will be made available in
the apply_to_1.3.1 subdirectory of the patches
directory on the Apache site. Some new features and other
unofficial patches are available in the 1.3
patches directory. For details of all previously reported
bugs, see the Apache bug database and
known
bugs pages. Many common configuration questions are
answered in the Apache FAQ.

STATUS compile time option replaced by a directive

The STATUS option in
the Configuration file currently determines the amount of
information recorded for use by mod_status on the status page. This
can be set at compile time. From the next release, this
option has been removed. Instead the extra status information
can be recorded by setting a new run-time directive,
ExtendedStatus.

mod_speling to work at per-directory level

The mod_speling module has been enhanced so that the
CheckSpelling directive
works on a per-directory basis. This means it can be used
inside <Directory> containers and
.htaccess files.

EMX Defines changed to OS2

Code specific to OS/2 is currently surrounded by #ifdef __EMX__...#endif blocks. EMX is the name of a
compiler used on OS/2, however most of the blocks like this
are specific to OS/2, rather than the EMX compiler. From the
next release, the OS/2 specific blocks will use the constant
OS2 instead of
__EMX__.

Module Magic Number Scheme Changed

The "module magic number" is used to ensure that the version
of modules match the version of Apache that they are being
used with. Previously this was a single number, which was
updated whenever the module API changed. Updating this number
meant that all modules had to be recompiled to work with the
newer version of Apache. However some modifications, such as
adding a new API function, would not stop old modules from
working, so recompilation should be not required.

From the next release, the module magic number will come in
two parts: a "major" version number, which will be updated
whenever a change is made that means that modules have to be
recompiled, and a "minor" version number that will be
incremented to mark additions to the module API. The major
version will be used to check whether a pre-compiled module
will still work with Apache. The minor number can be used by
modules to see if new functionality is available to them. The
module magic number and a list of past changes will be
contained in the new file src/include/ap_mmn.h.

For the first time, the Netcraft Server Survey shows that
Apache is used by more than half of the world's servers.
Apache is now used on 50.35% of the servers surveyed, update
0.66% from last month. By comparison, Microsoft servers are
used on 22.69% of sites (down 0.01%) and Netscape's on 8.22%
(down 0.19%). If servers which are based on Apache but which
have changed their "Server" identification are also included,
then Apache code is used on 54.99% of servers (up 0.61%).

The Apache
Reference Card has been updated to include all the Apache
1.3.1 functionality. This "card" is available as postscript
and PDF files for printing onto a single sheet or six
separate pages, in either US letter or A4 size.

The Apache Group is organising the first ever conference
dedicated to Apache, which will be held in San Francisco this
October. ApacheCon 98 is aimed at both Apache developers and
Apache users. The tracks planned for the conference cover
dymanic content, performance tuning, security and case
studies. The conference will also feature a trade show.

For more information, see www.apachecon.com. As
well as attending, there are opportunities to exhibit at the
trade show, become a sponsor, or submit a paper to be
presented.

This new section contains short announcements of jobs which
require significant Apache experience. If you have an
suitable job announcement, send the text or HTML (less that
hundred words plus a URL) to editors@apacheweek.com.
We reserve the right to refuse any announcement.